CVE-2020-28579
Published: 2020-11-18
Priority: P2 (70), high; CVSS 3.1 base score 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 49.29% (98.7th percentile)
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an authenticated, remote attacker to send a specially crafted HTTP message and achieve remote code execution with elevated privileges.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | trend_micro_interscan_web_security_virtual_appliance | — | — |
| trendmicro | interscan_web_security_virtual_appliance | — | — |
Detection & IOCs (extracted from sources)
Command (quoted from source): curl -ski -d 'wherefrom=&wronglogon=no&uid=reports_only_user&passwd= &pwd=Log+On' https:// :8443/uilogonsubmit.jsp
Command (quoted from source): curl -ski --cookie 'JSESSIONID=B3C8680FE9EEE804422FD8813D58496A' -d 'op=send&url=MyUrl&sender_note=MySendNote&mailsubject=MyMailSubject&sender_addr='$(python -c "print 'A'*0x10000") https:// :8443/urlf_reclassifyurl.jsp?CSRFGuardToken=55MYNQKMBK8KC3EB9TXC3FKOQH372OGX
- Monitor for large POST requests to /urlf_reclassifyurl.jsp on port 8443 with an oversized sender_addr parameter (e.g., repeated 'A' characters), indicative of a stack buffer overflow attempt via strcat in MailNotification.
- Detect POST requests to /rest/windows_client_status on port 8443 with an oversized password parameter, indicative of the unauthenticated stack buffer overflow (CVE-2020-28578) via strcpy in Java_com_trend_iwss_gui_IWSSJNI_DecryptPasswd.
- Alert on POST requests to /servlet/com.trend.iwss.gui.servlet.ManageVLANSettings on port 8443 containing shell metacharacters in VLAN-related parameters, indicative of command injection via AddVLANItem calling system().
- The exploit chain for CVE-2020-28579 requires a valid session (JSESSIONID cookie) and a CSRFGuardToken; correlate authenticated sessions followed immediately by anomalously large POST bodies to /urlf_reclassifyurl.jsp.
- Successful exploitation results in code execution as the 'iscan' OS account; alert on unexpected processes spawned by the iscan user on IWSVA appliances.
- Exploitation of CVE-2020-28579 requires authentication; a low-privileged 'reports only' account is sufficient, lowering the bar for attackers with any valid credentials.
- The vulnerable MailNotification function is in libuiauutil.so; if this shared library is updated or patched, the overflow vector is removed. Verify the library version on deployed appliances.
- The attack targets Trend Micro IWSVA 6.5 SP2 build 1901 specifically; confirm build number before applying detection rules to avoid false positives on patched builds.
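The three detection notes above, turned into a small request classifier as an added example (not code from the source record or from Trend Micro). It checks captured POST requests on port 8443 for the oversized sender_addr, oversized password, and shell-metacharacter patterns; the length thresholds, the VLAN parameter name vlan_id, the hostname iwsva.example, and the sample requests are constructed assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed thresholds for illustration; tune to the appliance's normal traffic.
MAX_SENDER_ADDR = 1024
MAX_PASSWORD = 256
SHELL_META = set(";|&`$(){}<>\n")


def classify_request(method, url, body, cookies=""):
    """Return detection labels for one captured request (POST on 8443 only)."""
    findings = []
    u = urlsplit(url)
    if method != "POST" or u.port != 8443:
        return findings
    params = parse_qs(body, keep_blank_values=True)
    if u.path == "/urlf_reclassifyurl.jsp":
        addr = params.get("sender_addr", [""])[0]
        if len(addr) > MAX_SENDER_ADDR:
            findings.append("oversized sender_addr (CVE-2020-28579)")
            # The chain needs a session cookie and a CSRFGuardToken; record both.
            if "JSESSIONID=" in cookies and "CSRFGuardToken" in parse_qs(u.query):
                findings.append("authenticated session + CSRFGuardToken present")
    elif u.path == "/rest/windows_client_status":
        if len(params.get("password", [""])[0]) > MAX_PASSWORD:
            findings.append("oversized password (CVE-2020-28578)")
    elif u.path == "/servlet/com.trend.iwss.gui.servlet.ManageVLANSettings":
        for name, values in params.items():
            if any(SHELL_META & set(v) for v in values):
                findings.append(f"shell metacharacters in {name}")
    return findings


# Constructed sample requests (method, url, body, cookies); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "https://iwsva.example:8443/urlf_reclassifyurl.jsp?CSRFGuardToken=TOKEN",
     "op=send&url=MyUrl&sender_addr=" + "A" * 0x10000, "JSESSIONID=abc"),
    ("POST", "https://iwsva.example:8443/urlf_reclassifyurl.jsp?CSRFGuardToken=TOKEN",
     "op=send&url=MyUrl&sender_addr=admin@example.com", "JSESSIONID=abc"),
    ("POST", "https://iwsva.example:8443/rest/windows_client_status",
     "password=" + "B" * 4096, ""),
    ("POST", "https://iwsva.example:8443/servlet/com.trend.iwss.gui.servlet.ManageVLANSettings",
     "vlan_id=10|id", "JSESSIONID=abc"),
    ("GET", "https://iwsva.example:8443/urlf_reclassifyurl.jsp", "", ""),
]


def scan(requests):
    """Map request index to its findings, keeping only requests that matched."""
    hits = {}
    for i, (method, url, body, cookies) in enumerate(requests):
        found = classify_request(method, url, body, cookies)
        if found:
            hits[i] = found
    return hits
```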
CVSS provenance
NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
No detection rules found.
No public exploits indexed.